Google Android’s Built-in Rootkit
Friday, June 25th, 2010
Today I came across some disturbing news: http://android-developers.blogspot.com/2010/06/exercising-our-remote-application.html
It turns out Google’s Android Market can automatically delete applications from Google-based Android phones without their users’ permission. They claim it is to protect end users from malware, just as I’m sure the Middle East claims it is building nuclear weapons for their own defense. I can see this growing to be a potentially big problem. I remember Google removing all Tetris clones not less than a month ago from the market, but I didn’t realize they could delete the applications off all phones. You would think companies would have learned their lessons over the years. Even Microsoft now has prompts for their updates and ActiveX controls to run on your computer. I guess history repeats itself.
What if I wanted that malware? I’m a security researcher and I like to study malicious applications. I could very well offload this application off my phone, decompile it, and try to see what it is that this person is doing. I couldn’t do that, though, if the application got deleted.
The fact of the matter is that this “feature” Google claims to be a protection mechanism can be abused by them to modify data on their users’ phones. I don’t know about you, but I sure would not feel comfortable if some appliance manufacturer had the authority to come into my home and steal my toaster because it was burning my toast every time I cooked bread. Of course, we have all seen in the media lately how Google feels about handling other people’s data, with its latest Wi-Fi scandals. Are you going to trust them to have the authority over your phone to modify it remotely?
On a different note, I make it a habit not to install third-party applications unless they’re open source or come from one of my personal trusted sources, especially if it’s an operating system. However, now that I know Google has the power to delete applications off my phone, I am probably going to root my Android phone and not use Google’s firmware anymore.